Total CVEs

143,208

Critical Severity

4,054

High Severity

14,598

Last 7 Days

1,328
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 1 - 20 of 83 CVEs
CVE-2026-56298 MEDIUM - 4.3

Capgo before 12.128.2 fails to strip EXIF metadata from images uploaded via the app information endpoint, exposing sensitive geolocation data. Attackers can upload images containing EXIF metadata to extract geographic location information and other embedded metadata from uploaded files.

Vendor: Capgo
Product: Capgo
Published: Jul 08, 2026
Source: NVD
CVE-2026-56293 MEDIUM - 5.4

Capgo before 12.128.2 contains an authorization flaw in transfer_app() that fails to update deploy_history.owner_org when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to deployment history records in the source organization or cau...

Vendor: Capgo
Product: Capgo
Published: Jul 08, 2026
Source: NVD
CVE-2026-56284 MEDIUM - 5.3

Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST RPC function public.get_total_metrics(org_id), which is callable by the anon role using only the public sb_publishable_* key. An unauthenticated attacker can probe organization existence a...

Vendor: Cap-go
Product: capgo
Published: Jul 08, 2026
Source: NVD
CVE-2026-56283 MEDIUM - 5.4

Capgo before 12.128.2 contains an html injection vulnerability in the organization settings endpoint that allows attackers to inject malicious HTML content. Attackers can craft payloads in the organization name field to redirect users to untrusted websites, enabling phishing attacks and reputational...

Vendor: Capgo
Product: Capgo
Published: Jul 08, 2026
Source: NVD
CVE-2026-56250 HIGH - 7.5

Capgo before 12.128.2 allows upload-scoped API keys to modify the mutable app_versions.r2_path field through PostgREST, enabling retargeting to arbitrary R2 bundle objects. Attackers can patch r2_path to point to victim objects, soft-delete the attacker-controlled version, and trigger the on_version...

Vendor: Capgo
Product: Capgo
Published: Jul 08, 2026
Source: NVD
CVE-2026-56246 HIGH - 8.1

Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key (limited_to_orgs) inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a wri...

Vendor: Capgo
Product: Capgo
Published: Jul 08, 2026
Source: NVD
CVE-2026-56226 HIGH - 7.5

Capgo (Cap-go/capgo) before 12.128.2 exposes the Supabase PostgREST RPC function public.get_orgs_v6(userid uuid), which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. Because the function accepts a caller-supplied user UUID without verifying it matches the authent...

Vendor: Cap-go
Product: capgo
Published: Jul 08, 2026
Source: NVD
CVE-2026-56220 MEDIUM - 6.5

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3_path values that are served to devices ...

Vendor: Capgo
Product: Capgo
Published: Jul 08, 2026
Source: NVD
CVE-2026-56217 MEDIUM - 4.3

Capgo before 12.128.2 contains a policy bypass vulnerability in app_versions update enforcement that allows app-scoped API keys to downgrade encrypted bundles to non-encrypted state. Attackers with app-scoped all API keys can directly update the app_versions table via PostgREST to clear session_key ...

Vendor: Capgo
Product: Capgo
Published: Jul 08, 2026
Source: NVD
CVE-2026-56334 MEDIUM - 4.3

Capgo before 12.128.2 lacks an UPDATE row-level security policy for the build_requests table, preventing API-key and anonymous access from persisting builder status updates. Attackers can exploit this missing policy to cause build status and error details to remain unpersisted, leaving build_request...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56333 MEDIUM - 4.3

Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser, circumven...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56331 MEDIUM - 5.3

Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic_invite_string is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magic_invite_string value...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56328 MEDIUM - 6.5

Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state a...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56327 MEDIUM - 5.3

Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable AP...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56320 HIGH - 7.1

Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organizatio...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56318 MEDIUM - 5.3

Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observin...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56300 HIGH - 7.5

Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for_apikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine pe...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56286 HIGH - 8.1

Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete user accounts via session hijacking, CSRF attacks, or parameter tampering, resulting in unaut...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56249 HIGH - 7.6

Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.create_channel permission can exploit a logic mismatch between existence validation and upse...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56247 HIGH - 8.8

Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform u...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD